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ICO consultation on the draft updated data sharing 
code of practice 


Data sharing brings important benefits to organisations and individuals, 
making our lives easier and helping to deliver efficient services. 


It is important, however, that organisations which share personal data 
have high data protection standards, sharing data in ways that are fair, 
transparent and accountable. We also want organisations to be confident 
when dealing with data sharing matters, so individuals can be confident 
their data has been shared securely and responsibly. 


As required by the Data Protection Act 2018, we are working on updating 
our data sharing code of practice, which was published in 2011. We are 
now seeking your views on the draft updated code. 


The draft updated code explains and advises on changes to data 
protection legislation where these changes are relevant to data sharing. It 
addresses many aspects of the new legislation including transparency, 
lawful bases for processing, the new accountability principle and the 
requirement to record processing activities. 


The draft updated code continues to provide practical guidance in relation 
to data sharing and promotes good practice in the sharing of personal 
data. It also seeks to allay common concerns around data sharing. 


As well as legislative changes, the code deals with technical and other 
developments that have had an impact on data sharing since the 
publication of the last code in 2011. 


Before drafting the code, the Information Commissioner launched a call 
for views in August 2018. You can view a summary of the responses and 
some of the individual responses here. 


If you wish to make any comments not covered by the questions in the 
Survey, or you have any general queries about the consultation, please 


email us at datasharingcode@ico.org.uk. 


Please send us your responses by Monday 9 September 2019. 


Privacy Statement 


For this consultation, we will publish all responses except for those where 
the respondent indicates that they are an individual acting in a private 
Capacity (e.g. a member of the public). All responses from organisations 
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and individuals responding in a professional capacity will be published. We 
will remove email addresses and telephone numbers from these 
responses; but apart from this, we will publish them in full. 


For more information about what we do with personal data please see our 
privacy notice. 


Questions 


Note: when commenting, please bear in mind that, on the whole, the 
code does not duplicate the content of existing guidance on particular 
data protection issues, but instead encourages the reader to refer to the 
most up to date guidance on the ICO website. 


Qi Does the updated code adequately explain and advise on the new 
aspects of data protection legislation which are relevant to data 
sharing? 


Yes 


[| No 


Q2 If not, please specify where improvements could be made. 


Q3 Does the draft code cover the right issues about data sharing? 
Yes 


[| No 
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Q4 If no, what other issues would you like to be covered in it? 


Q5 Does the draft code contain the right level of detail? 
L Yes 


K No 


Q6 If no, in what areas should there be more detail within the draft 
code? 


Clearer guidance is needed to define the Article 14 responsibilities for Data Controllers 
participating in data sharing arrangements. Existing ICO guidance Is not clear as fo when 
each Controller should be responsible for issuing a fair processing notice, nor the extent to 
which a Controller can rely on the fair processing notice issued by the party initially 
collecting the data. If the Controller collecting the data initially covers off the sharing of 
personal data and purposes of processing in their Article 13 notice, there does not appear 
to be any merit for the Controllers who subsequently receive the data to then Issue an 
Article 14 notice. 


There is a danger that the data subjects may receive a number of notices from 
organisations who they have no relationship with. This could confuse and potentially worry 
data subjects who are likely to only expect contact from the Controller they have a direct 
relationship with. This is particularly true where a Controller may receive basic personal 
data from another Controller, but the data processing activity conducted by that 
Controller will have no impact on a data subject. For example, witness details to an 
accident may be shared with an insurance company following an accident, and it may 
never be necessary for the insurance company to contact that witness. 


The Article 14 requirements are not clear in the Code of Practice itself, and existing 
guidance on the ICO website is not as detailed as it could be. The inclusion of specific 
examples would be very helpful. It will be important to Understand when an Article 14 
notice must be provided within data sharing arrangements, and to provide clear 
examples as to what would be ‘disproportionate effort.’ 
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Q7 Has the draft code sufficiently addressed new areas or 
developments in data protection that are having an impact on your 
organisation's data sharing practices? 


Yes 


O No 


Q8 If no, please specify what areas are not being addressed, or not 
being addressed in enough detail 


Q9 Does the draft code provide enough clarity on good practice in data 
sharing? 


[|] Yes 


K No 


Q10 If no, please indicate the section(s) of the draft code which could be 
improved, and what can be done to make the section(s) clearer. 


The Code of Practice would benefit from clearer guidance as to what checks should be 

implemented prior to any data sharing where automated decision making is present. An 

example focussing upon what organisations need to consider before sharing data where 
machine learning or automated decision-making has taken place would be helpful. 


The Code of Practice also makes a statement on page 51 which does not feel workable in 
practice. The Code of Practice advises that, ‘In a data sharing arrangement it is good 
practice to provide a single point of contact for individuals, which allows them to exercise 
their rights over the data that has been shared without making multiple requests to several 
organisations. However, they are permitted to choose fo exercise their rights against any 
controller they wish.’ Where more than one Data Controller is involved in sharing of 
personal information, contact points are provided for individuals to contact each 
Controller to fulfil data subject rights which that Controller is responsible for. A single point 
of contact would complicate arrangements and potentially hinder the data subject 
receiving a direct and timely response to their request. 
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On page 26, the Code of Practice advises that Joint Controllers should, ‘make essence of 
agreement,’ available to data subjects. Clearer guidance as to what the ICO expects 
Controllers to include when communicating the ‘essence of agreement’ to data subjects 
is needed, as it is unclear what level of detail is required. An example as to the type of 
information and level of detail required would be useful. 


Qii Does the draft code strike the right balance between recognising 
the benefits of sharing data and the need to protect it? 


Yes 


O No 


Q12 If no, in what way does the draft code fail to strike this balance? 


Q13 Does the draft code cover case studies or data sharing scenarios 
relevant to your organisation? 


[|] Yes 


K No 


Q14 Please provide any further comments or suggestions you may have 
about the draft code. 
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Whilst the case studies and data sharing scenarios are useful, more private sector case 
studies would be beneficial. Examples included in the Code of Practice and Annex D are 
very public sector focussed. Greater use of private sector examples throughout the Code 
of Practice would really bring the guidance to life, particularly if focussed on 
developments in Artificial Intelligence and Machine Learning. 


Q15 To what extent do you agree that the draft code is clear and easy 
to understand? 


O Strongly agree 
Agree 
O Neither agree nor disagree 
L Disagree 
O Strongly disagree 

Q16 Are you answering as: 


L] An individual acting in a private capacity (e.g. someone 
providing their views as a member of the public of the public) 


L] An individual acting in a professional capacity 
On behalf of an organisation 
O Other 


Please specify the name of your organisation: 


Direct Line Group 


Thank you for taking the time to share your views and experience. 


